Apache authentication can be configured to require web site visitors to login with a user id
and password. This is different than adding a login form on a web page
and creating your own authentication. This tutorial describes the various
methods available for authentication with Apache and its' configuration.
Login protection is applied to the web pages stored in a directory.
The login dialog box which requests the user id and password is provided by
the web browser at the request of Apache.
Apache allows the configuration to be entered in its' configuration files
(i.e. main configuration file /etc/httpd/conf/httpd.conf,
supplementary configuration files /etc/httpd/conf.d/component.conf
or in a file which resides within the directory to be password
protected.
Five forms of authentication are detailed here: Apache password file
authentication, digest file authentication, LDAP, NIS and MySQL.

Apache authentication methods using local files to store passwords, have no
association with system user accounts. If using LDAP or NIS for system login
authentication, its use can be extended to support Apache web site logins.

Terms:

Authentication: Prove it is you. Authenticate the login by requiring a password only the user would know.

Authorization: Only certain users or members of a privaleged group are allowed.

Typically Authentication or Authentication and Authorization are required for access.

Apache configuration files: (refered to generically in this tutorial as httpd.conf or reside as the file .htpasswd, in the directory being protected.)

The creation and addition of two files specifying the actual logins and passwords. (.htaccess and .htpasswd)

Use this sparingly because Apache will have to check all directories and
subdirectories specified
in the configuration file for the existence of the .htaccess file adding to
a servers latency.

When trying to access a file in a protected directory, the user will be
presented with a window (dialog box) requesting a username and password.
This protection applies to all sub-directories. Other .htaccess files in
sub directories may respecify access rules.

Apache authentication uses the modules mod_auth and mod_access.

Apache configuration file:

File: /etc/httpd/conf/httpd.conf (older systems used access.conf)

Default: This disables the processing of .htaccess files for the system.

Also see: List of Apache directives. If an incorrect directive is used in the .htaccess file it
will result in a server error. Check your log files: /var/log/httpd/error_log.
The name of the access file .htaccess is specified by the httpd.conf
directive AccessFileName.

Create (or clobber if it already exists) the password file /home/domain/public_html/membersonly/.htpasswd
using the program htpasswd:

Placing Authentication directives in httpd.conf exclusively instead of using .htaccess:

The purpose of using the "distributed configuration file" .htaccess
is so that users may control authentication. It can also be set in the
Apache configuration file httpd.conf WITHOUT using the .htaccess file. This can improve server performance as the server will not have to look for the .htaccess file in each subdirectory.

This method authenticates using Apache 2.0/2.2 and the LDAP authentication modules on Linux (supplied by default with most Linux distros) and an LDAP server.
LDAP can be used to authenticate user accounts on Linux and other computer systems as well as web site logins.
Also see YoLinux TUTORIAL: LDAP system authentication.

Try this out with your Apache server authenticating to our open LDAP server
using our Three Stooges example.

Apache LDAP modules:

Note that the following configurations work if the LDAP modules are enabled:

Allow users (LDAP attribute: memberUid) in group gidNumber: 100 of objectClass: posixGroup which match to the login uid, authentication approval.
The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.

Multiple Require ldap-group ... statements may be included to allow multiple groups.

Multiple Require ldap-attribute ... statements may be included to allow multiple groups.

The directive Satisfy any is required if testing multiple conditions. Only one positive in any of the conditions is required to authenticate.
Thus you can combine the following authorization schemes as well:

Require ldap-user

Require ldap-dn

Require ldap-attribute

Require ldap-filter

Concurrent File and LDAP authentication:

Apache can use both File and LDAP authentication concurently.
This is sometimes required to run cron jobs with a login where you do not want to use a system login or login managed by a directory server in another department.

<Directory /ABC>
Order deny,allow
Deny from All
AuthType Basic
AuthBasicProvider file ldap
AuthName "Directory services login"
AuthBasicAuthoritative off
AuthUserFile /srv/htpasswd
AuthGroupFile /dev/null
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.megacorp.com:389/ou=person,o=megacorp.com,c=us?uid?sub"
# This user created for local cron jobs. It is not a system user and allows
# the cron job to perform its task.
# This user is not in the LDAP directory but in the password file /srv/htpasswd
Require user cronuserjobx
Require ldap-user usera userb
</Directory>

This method authenticates using Apache on Linux and an NIS server.
The advantage of using NIS, is the
comonality of computer system accounts and web site logins.
This configuration requires that the system the Apache web server is
running on, must be using NIS authentication for system logins.

Passwords can also be sent over an encrypted https connection by use of the Apache directive SSLRequireSSL.
See Apache SSL/TLS encryption

[Potential Pitfall]:
This method of authentication will fail if using "adjunct password maps".
This Perl module requires the use of the library call yp_match()
which must have access to the encrypted passwords. If "adjunct password maps"
are used, then this is not accessible to processes other than root thus
the web server daemon process apache will not be able to access the data required.
Test your system using the command ypcat passwd | head.
If the second field is prefixed with "##", then this perl module will not work.
If the second field is an encrypted password, then this perl module can work.

CGI to allow users to modify their NIS Passwords:

For those users who get a shell of /sbin/nologin, the "cgipaf" web interface is ideal for user management of NIS passwords.
Cgipaf uses PHP, cgi (written in C) and your system PAM authentication (or /etc/passwd, /etc/shadow files). Cgipaf also can manage mail accounts using procmail.

require valid-user: Allow all users if authentication (password) is correct.

require user greg phil bob: Allow only greg phil bob to login.

require group accounting: Allow only users in group "accounting" to authenticate.

Directives:

Directive

Description

AuthMySQLEnable On

If 'Off', MySQL authentication will pass on the authentication job to the other authentication modules i.e password files.

AuthMySQLHost host_name

Name of MySQL Database hosr. i.e. 'localhost'

AuthMySQLPort TCP_Port_number

Port number of MySQL Database. Default: 3306

AuthMySQLDB database_name

Name of MySQL Database.

AuthMySQLUser user_id

MySQL Database login id.

AuthMySQLPassword user_password

MySQL Database login password. Plain text.

AuthMySQLUserTable user_table_name

Name of MySQL Databse table in the database which holds the user name and passwords.

AuthMySQLGroupTable group_table_name

Databse table holding group info.

AuthMySQLNameField user_field_name

If not using default field name 'user_name', then specify. Not case sensitive id CHAR or VARCHAR.

AuthMySQLPasswordField password_field_name

If not using default field name 'user_passwd', then specify. Passwords are case sensitive.

AuthMySQLGroupField group_field_name

If not using default field name 'groups', then specify.

AuthMySQLNoPasswd Off

Off: Passwords can be null ('').
On: password must be specified.

AuthMySQLPwEncryption none

Options: none, crypt, scrambled (MySQL password encryption), md5, aes, sha. If you are going to use plain-text passwords for mysql authentication, you must include this directive with the argument "none".

AuthMySQLSaltField salt_string mysql_column_name

Salt field to be used for crypt and aes.

AuthMySQLAuthoritative on

Authenticate using other authentication modules
after the user is successfully authenticated by the MySQL auth module.
Default on: request is not passed on.

Here is a trick to incorporate a login and password into a URL. Typicall
one would attempt to enter the password protected area of the web site
and the user
would be confronted with a login dialog box into which one would enter
the user id and password.
Another option is to enter a URL with the login and password embedded.